Attack code published for 'critical' IE flaw; Patch your browser now

Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated its MS12-037 bulletin to make it clear that public exploit code is now widely available.

Last week, when Microsoft released the critical Internet Explorer update,the company issued a warningthat working exploit code could be released within 30 days.

Less than a week later, an exploit for one of the “critical” browser flaw has been fitted into the freely available Metasploit point-and-click attack tool and sampleshave been released to Contagio, a blog that tracks live malware attacks.

The addition of the exploit into Metasploit effectively means that cyber-criminals now have access to copy the attack code for use in exploit kit and other mass malware attacks.

The vulnerability (CVE-2012-1875) is a remote code execution flaw in the way that Internet Explorer accesses an object that has been deleted. The vulnerability may corrupt memory in such a way that an attacker could execute arbitrary code in the context of the current user.

Microsoft has confirmed that this flaw is being used in “limited attacks” but the company has not (yet) updated itsMS12-037bulletin to make it clear that public exploit code is now widely available.

The exploit works across all major Windows platforms, including Windows Vista and Windows 7. It leverages return-oriented programming (ROP) exploitation technology to bypass with data execution (DEP) and address space layout randomization (ASLR) protections, and hook-hopping evasion techniques to evade host-based IPS detections. It requires the victim’s system to run an old Java virtual machine that came with a non-ASLR version of msvcr71.dll. If Java is not installed or there is no non-ASLR version of msvcr71.dll in the system, the exploit won’t work, although it will cause IE to crash.

On Windows XP, the vulnerability can be reliably exploited without any third-party component. We found the exploit tried to download and execute a binary from a remote server. The server was hosted by Yahoo and was taken down the same day we reported this to Microsoft.

Researchers at AlienVault Labs arereporting the discoveryof “several servers hosting similar versions of the exploit.” It also said the exploit supports a wide range of languages and Windows versions (from Windows XP through Windows 7) and appears to be very reliable.